View Andy's keynote slides or watch the video at the end: Mind over Matter: Managing Risk with Psychology Instead of Brute Force
Learn more about Akamai's presence at RSA Conference 2013: http://www.akamai.com/html/ms/rsa_conference_2013.html
2. The Problem: A Typical Business Risk Conversation
Business Owner: Here is my project. Is it safe?
Security: Here's our ISO 27002 checklist of every mistake anyone's ever made. Prove you haven't.
Business Owner: That's really long. Can you fill it out for me?
Security: Sure. You have a bunch of esoteric risk here.
Business Owner: Really? Is that a showstopper?
Security: If I say yes, you're going to override me, aren't you? And if I say no, I'm in trouble if this goes wrong...
4. Steady State: Security Value Balances Perceived Risk
[Figure labels: SECURITY VALUE, PERCEIVED RISK]
Low perceived risk leads to lower resource investment!
Low perceived capability leads to lower perceived risk!
5. Peltzman Effect
What your organization thinks it can get away with
Organizations don't think: People do.
6. People
What Do Organizations Consider Risk?
Lizards
Business Owner: Is my P/L good? Will I gain market share?
CEO: Is this profitable?
Sales: Can I meet my quota with this?
CFO: Is this a good allocation of resources?
Employees: Will I have a job?
Security: Is this safe?
8. Unmitigated Risk Psychosis
[Figure labels: SECURITY VALUE, PERCEIVED RISK, ACTUAL RISK*]
*not actually actual risk
Attempts to leave residual risk may result in new risk budgets!
9. Training Lizards
[Figure labels: SECURITY VALUE, PERCEIVED RISK, ACTUAL RISK*]
Risk Management can be trained like any other muscle.
10. Where Is Your Residual Risk?
Business Owner: Competitors are gaining. Have to move faster!
CEO: Products A & B are high risk. C should be safer.
Sales: That last product didn't sell. I'll sell something else.
CFO: You came in over budget. Are your numbers accurate?
Employees: This business is unprofitable. Update my resume!
Security: Here's our ISO 27002 checklist of every mistake anyone's ever made. Prove you haven't.
11. Success: A Better Business Risk Conversation
Business Owner: Here is my project. Is it safe?
Security: I don't know. Is it?
Business Owner: Wait, what?
Security: Here's how to think about safety. Do you think your product is safe?
Business Owner: Ummm....
Business Owner: Here's my assessment of my risk. I think this is reasonably safe.
Security: Great, glad to hear it. Can you fix those outliers in your next release?
13. Takeaway: Improve Security Value
Goal of any security program: dv/dt > 0
Beating your head against the wall: focusing on increasing resources.
Goal: dr/dt > 0
A good security program wants to create surplus.
Goal: dc/dt > 0
14. Questions, Answers, and Pontifications
Andy Ellis
aellis@akamai.com
@csoandy
http://www.csoandy.com/